Analyzing Apps and Communications with Autopsy...VCards Browsers Chrome Firefox IE Edge Safari Underlined items are new since last year. OCTOBER 16, 2019・HERNDON, VA・HOSTED BY

OCTOBER 16, 2019・HERNDON, VA・HOSTED BY

Analyzing Apps and Communications with Autopsy

Raman AroraDanny Smyda


Goal

● Introduce and review Communications Analysis features in Autopsy.

● Introduce new module writing support for apps.

● Get feedback on additional apps you’d like support for.


Why Use Autopsy for Apps and Communications

● Dedicated communications interface allows you to quickly focus on relevant accounts and messages.

● Support for both computer and phone formats allow you to see and correlate all data in a single case.

● Plug-in framework allows you and others to write modules to support new apps.


Supported Inputs

● Autopsy does not acquire data from a phone.

● Supported Inputs:○ Physical images

■ File systems: HFS+, Ext4, Yaffs2, FAT (media card)○ File system dumps○ USB-attached device


Adding a Physical Image


Adding a Physical Image


Data Parsed from Computer Media

Emails● PST ● MBOX● EML

Contacts● VCards

Browsers● Chrome● Firefox● IE● Edge● Safari

Underlined items are new since last year.


Data Parsed from Phone MediaMessaging/Calling

- Android SMS, Call Logs- Words With Friends- Tango- WhatsApp- Skype- Facebook Messenger- Viber- Line- TextNow- IMO

File Sharing

- ShareIt- Xender- Zapya

Browsers

- Android- Opera- S(amsung)Browser

Maps

- Orux- Google Maps

Underlined are new.

Many more to come...


Select Ingest Modules


Viewing Results in Tree● Generic display● Organized by artifact type● No filtering or sorting

View From Tree

● Generic table display● Columns are Name/values● No filtering, some sorting


Communications Viewer - Overview

An intuitive and user-friendly interface to view communications.● Organizes accounts that were found (such as phone number or

email).● Shows all messages, calls, and contact book entries

associated with an account.● Allows for filtering based on account types and dates.

Funded by DHS S&T


Communications Viewer


Communications Viewer - Filtering


Communications Viewer - Accounts Browser


Accounts Browser - Contact Book


Communications Viewer - Visualizer

Graphical Visualization

● Helps identify more active accounts and clusters● Link analysis


Communications Viewer - Walkthrough


Communications Viewer - Walkthrough


How to Support New Apps(Quick overview for developers)


The Need for Plugin Modules

● New apps are constantly being released and may not yet be officially supported.

● Apps change their database schemas and existing parsers may fail or not get all available data.

● You can help the community by writing and updating app parsers.


Why Build Modules in Autopsy

● Building a standalone parser requires: ○ Dealing with different inputs and finding the databases○ Querying the databases tables○ Storing, displaying, and reporting on the results.

● Building an Autopsy module allows you to focus on bullet #2. ○ It hides that the input is an image or file system collection○ It provides UIs○ It provides reporting

● All you need to think about is how to query a database


Expanding “Official Autopsy” Modules

● If you find that Autopsy’s support for an app needs to be updated, you can update its module.

● We’ve written them in Python to make it easy for the community to update.

● You can find the modules in the InternalPythonModules directory.● Simply update the query and submit a GitHub Pull Request.


Expanding “Official Autopsy” Modules


Making Your Own Module

● If you want to support a new app, you can make your own module. ● It will be available to select in the list of Ingest Modules.● To make a Python module, you need to:

○ Copy and paste our sample module.○ Search for “TODO” and update things like the module name.○ Write some code in the “process” method that will get called

when the user picks your module.

● Go to “Writing Autopsy Python Module” talk for more details.


Building an App Parser (The old way)1. Query the FileManager for specific database files. Repeat query for WAL/SHM files.2. Save the database files to disk3. Open the database4. Query the database tables5. Research which of the 40+ artifact types should be used (such as TSK_CONTACT)6. Research which of the 100+ attribute types are relevant (such as TSK_PHONE_NUMBER)7. For each entry:

○ Make an artifact with attributes○ Make an “account” (for the Communications UI)○ Make “relationships” between all of the accounts (for the Communications UI)○ “Post” that the artifact was created, so that UI refreshes and it is indexed


Problem/Solution

Problems- Many app modules have a lot of copy and pasted code and we want to make app modules

as simple as possible. - It is hard for writers to know which artifacts and attributes to use.- It can be hard to get all of the account and relationship information correct.

Solution- Build new classes to streamline the process and minimize code that modules need to

have.


Building an App Parser (The new way)

1. Search for and open databases and associated WAL/SHM in a single method call. 2. Query the database tables3. For each entry:

a. Call a single method that creates artifacts, attributes, and relationships

No need to:● Explicitly find and save WAL/SHM files● Research all of the artifact / attribute types● Learn about all of the communication-specific data types


New Classes

● AppSQLiteDB○ Finds and opens application databases. Simplifies running queries

● CommunicationArtifactsHelper○ Adds messages, call logs and other communication artifacts

● WebBrowserArtifactsHelper○ Adds web cookies, bookmarks and other browser artifacts

● ArtifactsHelper○ Adds GPS coordinates and other miscellaneous artifacts

No additional work is necessary to make data visible in the Communications UI or Results Tree.


Example: Finding Viber Databases

AppSQLiteDB.findAppDatabases(data_source, “viber_data”, True, “com.viber.voip”)

This will return a list of databases with that name in the specified folder.

Database name Folder name


Example: Querying Viber Database

app_database.runQuery(“SELECT phonebook.name,

phonebook.home_phone,

phonebook.work_phone,

phonebook.email

FROM phonebook”)

This will return a database cursor for the query results.


Example: Storing the Data

CommunicationHelper.addContact(“John Doe”, “413-362-1253”, “”, “512-126-2363”, “[email protected]”)

Note: You may pass null or the empty string for data you don’t know.


What's Coming Next?

● More app parsers● Ability to import reports from other mobile forensics tools

● Better association between messages and attachments that are stored in some other part of the file system

● Adding more features to accounts○ Linking accounts to a person○ Mapping an account to all its known user names


Reach Out!

● If you have any development challenges, post a question on the forum:

http://forum.sleuthkit.org● If you have app requests, let us know now or on the survey.

http://forum.sleuthkit.org

Documents

Analyzing Apps and Communications with Autopsy...VCards Browsers Chrome Firefox IE Edge Safari Underlined items are new since last year. OCTOBER 16, 2019・HERNDON, VA・HOSTED BY